Introduction
1. a) What is our definition of a host?
Any device with an IP address is a host.
b) Why is host hardening necessary?
This is necessary to protect the host against attacks.
c) What major categories of hosts did this section mention?
Servers, clients, routers, firewalls, and even many mobile phones.
d) What specific things can an attacker do if he or she takes over a firewall? The answer was not explained in the text.
If an attacker takes over a firewall, he or she can do all the things the firewall is supposed to stop, such as allowing connection-opening requests initiated externally or re-routing internal data to alternate paths so that it can be intercepted and used. In effect, the attacker opens the internal network wide to attacks while creating the false impression that the firewall is doing its job.
e) What specific things can an attacker do if he or she takes over a router? The answer was not explained in the text.
If an attacker takes over a router, not only can he or she effectively map the entire internal network, but they can re-route traffic or reconfigure the router to cause a local DoS.
f) List the elements of host hardening.
Backup the host regularly. Without this, nothing else matters.
Restrict physical access to the host.
Install the operating system with secure configuration options. In particular, be sure that all default passwords are replaced by strong passwords. Adversaries know every default password. If you fail to change even one, they can use it to get into your system immediately.
Minimize the applications and operating system services that run on the host to reduce the ability of hackers to take over the host by compromising an application or service. Minimizing the number of running programs reduces the “attack surface” of hosts.
Harden all remaining applications on the host.
Download and install patches for known operating system vulnerabilities.
Manage users, including account profiles, passwords, and other matters.
Manage access permissions for users and groups securely.
Encrypt data if appropriate.
Add a host firewall.
Read operating system logs regularly to look for suspicious activities.
g) Why is it important to replace default passwords during configuration?
Because anyone who knows anything about the subject will know the default password. The default password is usually the first thing an attacker will check.
h) What is a security baseline, and why is it important?
Security baselines are sets of specific actions to be taken to harden all hosts of a particular type and of particular versions within each type. This is important because it is another rule to follow to harden hosts and prevent attacks.
i) Why is the downloading of disk images of the operating system desirable compared to configuring each host individually?
This method will save labor time and cost on each subsequent installation. It also ensures that each server is properly configured according to the firm’s security baselines and general policies.
j) What does a systems administrator manage?
Systems administrators manage individual hosts or groups of hosts.
k) Does a systems administrator generally manage the network?
Systems administrators generally do not administer the network.
2. a) What is cloud computing?
Cloud computing utilizes processing power, applications, data storage, and other services over the Internet.
b) How do cloud computing and mainframe architectures differ?
Mainframe architectures consist of several thin clients connected to a single powerful computer called a mainframe. Thin clients are essentially a screen, keyboard, and a connection to the mainframe. Commands are sent to the mainframe where all application processing occurs, and data is stored. Computing is done locally, not over the Internet.
c) How do cloud computing and client–server architectures differ?
Stand-alone clients do not have to be connected to a mainframe. Clients can run applications and store data locally. They can also communicate with servers over the Internet and access data, applications, and additional processing power. Client–server architectures can share some of the processing too. Servers are much less expensive than mainframes and can support users at many locations as long as they have an Internet connection.
d) What are the advantages of cloud computing?
The advantages of cloud computing include reduced costs, increased reliability, quicker disaster recovery, reduced data loss, better scalability, greater agility, and better accessibility.
e) Which security concerns are specific to cloud computing? Why?
Security concerns specific to cloud computing center on the cloud service provider. Can users, or corporations, trust their cloud provider to securely store their data? Can cloud providers be trusted with critical systems? Will there be any conflicts of interest with other clients and the cloud provider? Will the cloud provider act in the company’s best interests?
f) How could attackers use cloud computing?
Attackers could use cloud computing to launch attacks, store illegal digital media, crack stolen passwords, or even host phishing scams.
Important Server Operating Systems
Windows Server Operating Systems
3. a) What is the name of Microsoft’s server operating system?
Windows Server
b) What security protections do recent versions of this operating system offer?
They intelligently minimize the number of running applications and utilities by asking the installer questions about how the server will be used. They also make the installation of vulnerability patches very simple and usually automatic. They include server software firewalls, the ability to encrypt data, and many other security enhancements.
c) Why is Microsoft Windows Server easy to learn?
Windows Server is easy to learn because the interface looks like the interfaces in client versions of Windows.
d) What are MMCs? (Do not just spell out the acronym.)
Microsoft Management Consoles (MMCs) are Microsoft Server’s administrative tools that use a consistent GUI.
e) On what object does an icon bar icon operate?
When a user selects an object in one of the two lower panes, the icons specify actions that the administrator can take on the selected object. One of the most important choices is Action, which is specific to the selected object.
f) What is in the tree pane?
It is a tree of administrative applications. The tree pane is located in the lower-left pane of the GUI.
g) To what things do items in the subobject pane refer?
These things refer to objects on which actions can be taken.
h) What is a snap-in?
A snap-in is an individual application on the tree pane of an MMC that can be added or dropped from the tree list easily.
i) Why are they called snap-ins?
They are called snap-ins because they can be added or dropped from the tree list easily.
j) Why is the standardized layout of MMCs beneficial?
Standardized layouts that provide a consistent user interface make learning how to use MMCs and snap-ins relatively easy.
k) How does the systems administrator get to most administrative tool MMCs?
By following the sequence of “start,” then “programs,” and finally “administration tools.”
l) What does selecting Action do?
It shows the actions that the administrator can take on the selected object.
UNIX (Including LINUX) Servers
4. a) Why is UNIX systems security difficult to describe generally?
UNIX consists of a family of OSs that are similar in that they are compatible at the kernel level, but differ in other aspects of implementing the OS, such as implementing system security. Thus, there is no standard UNIX system security setting; each OS has its own baseline.
b) Distinguish between UNIX and LINUX.
UNIX is a family of OSs that share interoperability at the kernel level. LINUX is a specific operating system kernel used in many PCs because of its price (free).
c) What is the LINUX kernel?
The LINUX kernel is the core part of the operating system, upon which LINUX vendors provide additional software for sale or free downloads.
d) What is a LINUX distribution?
A LINUX distribution consists of the LINUX kernel packaged by vendors with additional programs for added functionality. Often these additional packages are created by the GNU project for free, but packaged and sold for a profit by enterprising capitalists.
e) Comment on the cost of LINUX.
The purchase price of a LINUX distribution is free or almost free. However, Total Cost of Ownership (TCO) for LINUX can be considerable, especially if there are multiple varieties of LINUX in use on a network that require product-specific knowledge to operate and secure.
f) Does a particular version of UNIX have a single user interface?
No. Even within a specific version of UNIX, the operating system software may come with several alternative user interfaces. Some of these interfaces will be graphical user interfaces (GUIs) similar to the interface of Microsoft Windows. On LINUX, there are two popular GUIs: Gnome and KDE.
g) What are UNIX CLIs called?
UNIX’s command line interfaces are called shells.
h) How are CLIs beneficial?
CLI shells use fewer resources than GUIs, so they place lower processing burdens on the computer than GUIs.
i) Why are CLIs difficult to use?
They are difficult to use because the CLIs in UNIX are picky with syntax and spacing.
Vulnerabilities and Patches
Vulnerabilities and Exploits
5. a) What is a vulnerability?
Vulnerabilities are security weaknesses that open a program to attack.
b) What is an exploit?
An exploit is a program that takes advantage of a vulnerability to allow the attacker to take over the computer or at least an individual account.
c) What is a zero-day attack?
Attacks that come before fixes are released are called zero-day attacks.
d) Why is the quick application of critical fixes important?
Because attackers usually exploit the vulnerability soon after a fix is released by a vendor.
Fixes
6. a) List the four types of fixes for vulnerabilities.
The four types of fixes for vulnerabilities are work-arounds, patches, service packs, and version upgrades.
b) Distinguish between work-arounds and patches.
Work-arounds are labor-intensive processes of manual steps that systems administrators must take to address a vulnerability. Patches are small programs that fix a particular vulnerability. Patches fix the problem itself rather than adjusting the system configuration (as work-arounds do).
c) What is a service pack in Microsoft Windows?
Service packs combine vulnerability fixes and sometimes functionality improvements into a single large update.
d) Why is upgrading to a new version of an operating system usually good for security?
Security problems are corrected in newer versions, and in general each newer version of an operating system has improved security. In addition, if a version is too old, the vendor will stop creating fixes for it.
The Mechanics of Patch Installation
7. a) In Windows Server 2003 and 2008, how automatic can patching be?
Windows Server 2003 has updating on the main start menu.
Windows Server 2008 can do updating automatically.
b) What patch downloading method is commonly used in LINUX?
Many LINUX vendors follow the rpm method created by Red Hat for downloading patches.
Problems with Patching
8. a) Why do firms have a difficult time applying patches?
Firms have a difficult time because firms use many application programs and vendors release many patches per product. In contrast, they only use a few operating system versions.
b) Why do many firms prioritize patches?
Firms prioritize patches by criticality. Some patches may not be applied at all if risk analysis does not justify them.
c) How do patch management servers help?
Patch management servers help by learning what software a firm is using on its network, actively assessing which programs on specific hosts need to be patched, and then pushing the patches to the hosts. Patch management servers can greatly reduce patching costs.
d) What two risks does patching raise?
The two risks of patching are (1) loss of functionality due to implementing a patch, and (2) some patches can negatively impact host system performance.
Managing Users and Groups
The Importance of Groups in Security Management
9. Give two reasons why assigning security measures to groups is better than assigning security measures to individuals within groups.
Applying security measures to groups takes less time than assigning them individually (and thus is cheaper).
Applying security measures in groups reduces errors in assigning security settings because group permissions are fairly obvious compared to individual permissions.
Creating and Managing Users and Groups in Windows
10. a) What Windows snap-in is used to manage users and groups?
It is the Local Users and Groups snap-in.
b) On which MMC is this snap-in available?
This snap-in is available in the computer management snap-in.
c) In this snap-in, if the administrator clicks on an account, what may he or she do?
The administrator will be able to rename the account, delete it, change its security properties, or take other actions.
d) How does the administrator create a new account?
Administrators create new accounts using the Action command, entering a name, password, and other information about the account.
e) How does an administrator add an account to a group?
The administrator can select the group section instead of the user section, and from here the administrator will be able to add an account to the group.
f) How does the administrator create a new group?
In the group sections.
11. a) What privileges does the super user account have?
The super user has full access to anything on the computer. The owner of the super user account can see or do anything on the computer.
b) What is the super user account in Windows?
The super user account in Windows is called “Administrator.”
c) What is the super user account in UNIX?
It is called “root.”
d) What is hacking root, and why is it desirable to hackers?
Hacking root is taking over that super user account. This is desirable because the attacker can do whatever he wants with this type of account.
e) When should a Windows systems administrator use the Administrator account?
Administrator accounts should be used sparingly (as little as possible), and only for circumstances that merit full privileges to accomplish a task.
f) How does the administrator get to the super user account in Windows? In UNIX?
In Windows, run the RunAs command to switch to and from the super user account. In UNIX, the administrator accesses the super user account via a CLI using the su command.
Managing Permissions
Permissions
Assigning Permissions in Windows
12. a) How are permissions applied to a directory in Windows?
Permissions are applied to a directory in Windows by right-clicking on the file or directory in My Computer or Windows Explorer. Then select Properties, then the Security tab. Then select a user or group and turn each of the six standard permissions on or off (permit or deny).
b) List each standard Windows privilege.
They are full control, modify, read and execute, list folder contents, read, and write.
c) To how many accounts and groups can different permissions be applied in Windows?
There is no limit to the number of accounts and groups that can have different permissions applied.
d) How can inheritance reduce labor costs in assigning permissions?
Inheritance reduces labor costs because a directory automatically receives the permissions of its parent directory. This eliminates the need to assign permissions to each subdirectory individually.
e) How can inheritance be modified?
Inheritance can be modified from the allow permissions and the deny permissions in the security tab.
f) How are a user’s effective permissions calculated for a directory?
A user’s effective permissions are all those inherited from the parent directory plus any specifically allowed permissions, minus those removed (denied).
g) How would you set up a top-level directory for a firm’s public policy documents, which should be readable by all logged-in users?
At the top-level directory (public programs) assign the group called “all logged in users” read permissions.
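The inheritance and effective-permission rules above can be modelled in a few lines. The following is an added example (not from the original text): it models the six standard folder permissions, explicit and inherited allow/deny entries, and the Windows evaluation order (explicit entries before inherited ones, deny before allow at each level), using the public-policy-documents directory from the question. The directory names, group names and the permission groupings in IMPLIES are assumptions for the example.

```python
from dataclasses import dataclass, field

# The six standard Windows folder permissions named in the answers above.
STANDARD = ("full control", "modify", "read and execute",
            "list folder contents", "read", "write")

# Which standard permissions each one includes (assumed simplification of the
# Windows permission groupings; "full control" covers everything).
IMPLIES = {
    "full control": set(STANDARD),
    "modify": {"modify", "read and execute", "list folder contents", "read", "write"},
    "read and execute": {"read and execute", "list folder contents", "read"},
    "list folder contents": {"list folder contents"},
    "read": {"read"},
    "write": {"write"},
}


@dataclass(frozen=True)
class Ace:
    """One access control entry: allow or deny a set of standard permissions."""
    principal: str      # user account or group name
    kind: str           # "allow" or "deny"
    perms: frozenset    # subset of STANDARD


@dataclass
class Directory:
    name: str
    aces: list = field(default_factory=list)  # entries set explicitly on this directory
    inherit: bool = True    # False = inheritance from the parent is switched off


def _ordered(aces, principals):
    """Keep the entries that apply to us, deny entries first, then allow entries."""
    mine = [a for a in aces if a.principal in principals]
    return [a for a in mine if a.kind == "deny"] + [a for a in mine if a.kind == "allow"]


def effective_permissions(path, user, groups):
    """Effective standard permissions of `user` on the last directory in `path`.

    `path` lists Directory objects from the top-level directory down to the
    target. Explicit entries on the target are evaluated first, then inherited
    entries from the nearest parent outward; within each level deny comes
    before allow. The first entry that mentions a permission decides it, and a
    grouped permission such as "modify" is only effective when every
    permission it includes is allowed.
    """
    principals = {user} | set(groups)
    target = path[-1]
    ordered = _ordered(target.aces, principals)
    if target.inherit:
        for parent in reversed(path[:-1]):
            ordered += _ordered(parent.aces, principals)
            if not parent.inherit:      # the chain stops where inheritance was cut
                break
    decided = {}
    for ace in ordered:
        for perm in ace.perms:
            for implied in IMPLIES[perm]:
                decided.setdefault(implied, ace.kind)
    allowed = {perm for perm, kind in decided.items() if kind == "allow"}
    return {perm for perm in STANDARD if IMPLIES[perm] <= allowed}


# Constructed sample tree (assumed names). The top-level directory gives the
# "all logged-in users" group read permission, as the answer above prescribes.
PUBLIC = Directory("Public Policy Documents",
                   [Ace("All Logged-In Users", "allow", frozenset({"read"}))])
# A subdirectory that explicitly denies contractors read access.
DRAFTS = Directory("Drafts", [Ace("Contractors", "deny", frozenset({"read"}))])
# Under Drafts, one folder explicitly allows contractors again.
HANDBOOK = Directory("Contractor Handbook",
                     [Ace("Contractors", "allow", frozenset({"read"}))])
# A subdirectory with inheritance switched off and its own editor group.
EDITING = Directory("Editing", [Ace("Policy Editors", "allow", frozenset({"modify"}))],
                    inherit=False)


if __name__ == "__main__":
    print(effective_permissions([PUBLIC], "alice", {"All Logged-In Users"}))
    print(effective_permissions([PUBLIC, DRAFTS], "bob",
                                {"All Logged-In Users", "Contractors"}))
    print(effective_permissions([PUBLIC, DRAFTS, HANDBOOK], "bob",
                                {"All Logged-In Users", "Contractors"}))
    print(effective_permissions([PUBLIC, EDITING], "dan",
                                {"All Logged-In Users", "Policy Editors"}))
```

Note that the explicit allow on the Contractor Handbook folder beats the deny inherited from Drafts, while the cut inheritance on Editing removes the read permission that every other subdirectory receives from the top level.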
Assigning Groups and Permissions in UNIX
13. a) What are the three UNIX permissions?
The three UNIX permissions are read, write, and execute.
b) Briefly characterize each.
Read gives the permission to read only.
Write gives permission to make changes.
Execute permits the execution of programs.
c) Compare the number of UNIX directory and file permissions with that of Windows.
UNIX allows only three directory permissions, whereas Windows allows six primary directory permissions and 13 specialized permissions.
d) To which three individual accounts or groups can permissions be assigned for a particular directory in UNIX?
They are the account owner, a single group, and all other accounts.
e) How does the number of accounts or groups to which permissions can be assigned in UNIX compare with that of Windows?
UNIX allows permissions to be assigned to three groups/accounts. Windows can give permissions to an unlimited number of individual accounts and groups.
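The three-permission, three-principal UNIX model described in 13 a) to e) is small enough to model exactly. The following is an added example (not from the original text): it converts between the symbolic form shown by ls -l and the octal mode bits, and decides access the way the kernel does, by picking exactly one class (owner, otherwise group, otherwise other) with no fallthrough, so an owner with fewer bits than the group gets less access than group members. The root rule (read and write always, execute only if some execute bit is set) and the sample file metadata are assumptions for the example.

```python
from typing import NamedTuple


class FileMeta(NamedTuple):
    mode: int       # permission bits, e.g. 0o640
    owner: str      # the owning account
    group: str      # the single owning group


SHIFT = {"owner": 6, "group": 3, "other": 0}   # position of each class's triad
BIT = {"r": 4, "w": 2, "x": 1}                  # read, write, execute within a triad


def parse_symbolic(text):
    """'rwxr-x---' (ls -l output without the leading type character) -> 0o750."""
    if len(text) != 9:
        raise ValueError("expected nine permission characters")
    bits = 0
    for i, (ch, expected) in enumerate(zip(text, "rwxrwxrwx")):
        if ch == expected:
            bits |= 1 << (8 - i)
        elif ch != "-":
            raise ValueError(f"unexpected character {ch!r} at position {i}")
    return bits


def to_symbolic(mode):
    """0o640 -> 'rw-r-----'."""
    return "".join(ch if mode & (1 << (8 - i)) else "-"
                   for i, ch in enumerate("rwxrwxrwx"))


def permission_class(meta, user, user_groups):
    """UNIX applies exactly one class: owner, else the file's group, else other."""
    if user == meta.owner:
        return "owner"
    if meta.group in user_groups:
        return "group"
    return "other"


def allowed(meta, user, user_groups, want):
    """True if `user` has every permission in `want` (a string such as 'rw').

    The superuser (assumed name 'root') bypasses read and write checks; execute
    is granted to root only if at least one execute bit is set on the file.
    """
    if user == "root":
        any_x = bool(meta.mode & 0o111)
        return all(p != "x" or any_x for p in want)
    triad = (meta.mode >> SHIFT[permission_class(meta, user, user_groups)]) & 0o7
    return all(triad & BIT[p] for p in want)


# Constructed sample: alice owns the file but only has read; the group can write.
REPORT = FileMeta(parse_symbolic("r--rw-rw-"), owner="alice", group="staff")


if __name__ == "__main__":
    print(to_symbolic(REPORT.mode))
    print("alice write:", allowed(REPORT, "alice", {"staff"}, "w"))   # owner class applies
    print("bob write:", allowed(REPORT, "bob", {"staff"}, "w"))       # group class applies
```

Because only one owner, one group and "everyone else" can carry permissions, a second group with different rights cannot be expressed in this model, which is the contrast with Windows drawn in 13 e).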
14. a) What is brute-force password guessing?
Brute-force password guessing is an approach that tries all possible passwords on all (or selected) accounts. This approach tries all possible single-character passwords, then all possible two-character passwords, and so forth.
b) Why is it important to not simply use all lower-case letters in passwords?
It is important to not simply use all lower-case letters in passwords because that limits the possible characters in a password to only 26 (the alphabet). Thus, the possible combinations are 26^N (N = password length), much less than if all characters on a keyboard are used (75^N combinations).
c) What are complex passwords?
Complex passwords are passwords that use several types of keyboard characters—upper- and lower-case letters, digits, and special characters.
d) Why is password length important?
Longer passwords take much more time to crack than shorter passwords.
e) What is a dictionary attack?
A dictionary attack is an attack that compares passwords to lists of common words.
f) Why are dictionary attacks faster than brute-force guessing?
They only have to try a few thousand passwords, instead of millions or billions.
g) What are hybrid dictionary attacks?
Hybrid dictionary attacks try simple modifications of common words (such as Password!).
h) How are mangling rules applied to a list of dictionary words?
Mangling rules are applied to each word in sequence. Each mangling rule modifies the dictionary word in order to produce a possible password match. Mangling rules are created from, and based on, common password patterns.
15. a) What are rainbow tables?
A rainbow table is a list of pre-computed password hashes that are indexed in an attempt to reduce the amount of time it takes to crack a password.
b) How would rainbow tables reduce the time needed to crack a password?
Indexed lists of password hashes are created from large dictionary files, or all possible combinations of characters. This results in a time–memory trade-off where more memory is used to store the pre-computed password hashes, but the time it takes to crack a password is greatly reduced.
c) Would it be possible to create rainbow tables for all possible passwords with 1–20 characters? Would it be practical?
It would be technically possible to create the table. However, the number of possible combinations of known characters for a password consisting of 20 characters would be so large that the table would be practically impossible to create.
16. a) Can you create a truly random password? Will it be used?
Yes, you can create very long truly random passwords. The downside of completely random passwords is that users find them hard to remember. Users tend not to use passwords that are hard to remember.
b) Should passwords be tested by systems administrators? Why?
Internal corporate passwords should be tested by systems administrators to ensure that each user is using a sufficiently strong password. Users with weak passwords should be directed to change their password to a stronger password.
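The keyspace arithmetic in 14 b), the hybrid dictionary and mangling rules of 14 g) and h), and the administrator-side password testing of 16 b) can all be exercised by one password checker. The following is an added example (not from the original text): rather than enumerating mangled candidates, it inverts the common mangling rules (strip leading and trailing digits and symbols, undo "leet" substitutions, fold case) so that Password!, P@ssw0rd1 and summer2024 are all reduced to the dictionary word they came from, and it reports the brute-force keyspace for the character classes actually used. The class sizes (printable ASCII), the tiny word list and the policy thresholds are assumptions for the example.

```python
import re

# Characters available per class in printable ASCII (assumed; the "75" quoted
# in 14 b) is a rough count of keyboard characters).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "other": 33}

# Constructed sample word list; a real checker would load a large dictionary.
DICTIONARY = {"password", "welcome", "letmein", "dragon", "monkey", "summer", "qwerty"}

# Common "leet" substitutions hybrid attacks apply to dictionary words, which the
# checker undoes: @->a, 0->o, 4->a, $->s, 5->s, 3->e, 1->i, 7->t.
UNLEET = str.maketrans("@04$5317", "aoassseit"[:8])


def character_classes(password):
    """Set of character classes present, e.g. {'lower', 'digit'}."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("other")
    return classes


def keyspace(password):
    """Number of guesses a brute-force attack over the classes used would need (alphabet^N)."""
    alphabet = sum(CLASS_SIZES[c] for c in character_classes(password))
    return alphabet ** len(password)


def unmangle(password):
    """Reverse the typical mangling rules: strip decoration, undo leet, fold case."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)  # drop prefix/suffix digits and symbols
    return core.translate(UNLEET).lower()


def dictionary_match(password, words=DICTIONARY):
    """The dictionary word the password is built from, or None."""
    for candidate in (password.lower(), unmangle(password)):
        if candidate in words:
            return candidate
    return None


def assess(password, min_length=12, min_classes=3):
    """Policy verdict an administrator's password test could report to the user."""
    classes = character_classes(password)
    word = dictionary_match(password)
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if len(classes) < min_classes:
        reasons.append(f"uses only {len(classes)} character class(es)")
    if word:
        reasons.append(f"is a mangled form of the dictionary word {word!r}")
    return {
        "ok": not reasons,
        "length": len(password),
        "alphabet": sum(CLASS_SIZES[c] for c in classes),
        "keyspace": keyspace(password),
        "dictionary_word": word,
        "reasons": reasons,
    }


if __name__ == "__main__":
    for pw in ("password", "Password!", "P@ssw0rd1", "summer2024", "xq7$Lm2!pR9v"):
        print(pw, assess(pw))
```

The keyspace figure explains why a complex twelve-character password resists brute force while Password! does not: the latter never needs to be brute-forced at all, because one mangling rule applied to one dictionary word reaches it.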
17. a) What do Trojan horse password capture programs do?
They capture passwords when the user types them.
b) Can antivirus software detect keystroke capture software?
Yes, some antivirus software can detect certain keyloggers, but not all keyloggers. The keystroke software must be included in the list of virus signatures for it to be identified by the antivirus software.
c) How would you detect a physical keylogger?
In order to detect a physical keylogger you would have to physically inspect your computer.
d) What is shoulder surfing?
Watching someone while they type passwords in order to learn the password.
e) Does the shoulder surfer have to read the entire password to be successful? Explain.
Shoulder surfers do not have to read the entire password to be successful. Just finding out some of the characteristics of the password, such as first/last letters, total number of characters, whether special characters are used, etc. makes cracking the password significantly easier as it narrows the possible range of password characteristics to be checked in a brute force attack.
Testing for Vulnerabilities
18. a) Why is vulnerability testing desirable?
Vulnerability testing is desirable because it allows network administrators to identify problems before attackers can exploit them.
b) What two things does vulnerability testing software do?
Vulnerability testing software can run a battery of attacks and generate reports detailing the vulnerabilities found.
c) Why is it important to get approval in writing before conducting a vulnerability test?
It is important to get approval in writing before conducting a vulnerability test because testing occasionally causes system crashes and other damage and the tester wants to be covered against repercussions.
d) What two things should this written approval specifically mention?
Specifically, the written approval should include a detailed description of what will be done along with an explanation that the tester will not be held liable for system degradation from the testing.
e) Why is it important never to diverge from the test plan when running the tests?
One should never diverge from the test plan while running tests because once you diverge, all protections provided by the test plan are negated and you can be held liable for the consequences of your actions.
Windows Client PC Security
Client PC Security Baselines
19. What different baselines does a company need for its client PCs?
A company needs security baselines for Windows XP, Vista, and Windows 7. A firm also needs security baselines for its Macintosh and UNIX desktop computers. In addition, for each client operating system, a firm may have multiple baselines, such as for desktop versus laptop computers, for in-site versus external computers, and for regular clients versus computers with especially high security needs.
The Windows Security Center
20. a) How can you quickly assess the security posture of your Windows PC?
The Windows Security Center allows a user to quickly assess the security posture of a Windows PC.
b) What provides a quick summary of security components needed to harden a client PC?
The Windows Action Center provides a quick summary of all the security components needed to harden a client PC.
c) Why are multiple types of protection necessary?
Multiple types of protection work together to provide defense in depth and protection from a variety of threats.
Windows Firewall
21. a) What SPI firewall has come with client version of Windows since Windows XP SP2?
It is called “Windows Firewall.” This SPI firewall has been included in all subsequent client versions of Windows.
b) What improvements come with Windows Firewall with Advanced Security?
Windows Firewall with Advanced Security comes with additional functionality such as custom ingress/egress rules, separate network profiles, more detailed rules, and the ability to be managed via group policy.
Automatic Updates
22. Why should updating be done completely automatically on client PCs?
Due to the shortening time between patch release and widespread use of exploits for unpatched vulnerabilities, client PCs should be configured for automatic updates.
Antivirus and Spyware Protection
23. What can go wrong with antivirus protection?
Common problems with antivirus protection include users turning off the AV program, automatic updates of virus signatures being inadvertently turned off, or the AV program’s subscription expiring so that no new updates arrive.
Implementing Security Policy
24. a) Why is it important to implement security policy?
It is important to implement security policies because they protect computing resources. They also help minimize corporate liability and ensure legal compliance.
b) What are the advantages of implementing password policies?
Implementing these password policies increases the effectiveness of passwords as an access control mechanism.
c) What are the advantages of implementing account policies?
Properly implemented account policies can stop certain attacks. For example, an account policy could prevent attackers from endlessly trying to guess a user’s password if the account were locked after a given number of attempts.
d) What are the advantages of implementing audit policies?
Audit policies provide systems administrators with detailed information about who caused events to occur, what they may have changed, and when the event occurred.
Protecting Notebook Computers
25. a) What are the three dangers created by notebook computer loss or theft?
The three dangers of notebook computer loss are (1) loss of capital investment, (2) loss of all data that was not backed up, and (3) loss of sensitive data.
b) When should backup be done for mobile computers?
Mobile computers should be backed up before being taken off-site and then regularly while off-site.
c) What four policies are necessary to protect sensitive information?
Limit what sensitive data can be stored on mobile PCs.
Encryption is required on all mobile PCs regardless of data content.
All mobile PCs should be protected with strong passwords, biometrics, or both.
Audit the first three policies.
d) To what should these policies be applied?
The above policies should be applied to all mobile data on notebook hard drives, USB RAM drives, MP3 players, and mobile phones that store company data.
e) What training should be provided?
The type of training that should be provided is to teach users loss and theft protection techniques.
f) What does computer recovery software do?
This software will contact the recovery company the next time the computer connects to the Internet so that the recovery company can contact the local police to recover the computer.
Centralized PC Security Management
26. a) Why is central PC security management desirable?
Central PC security management is desirable because ordinary users lack the knowledge to manage security on their PCs, they sometimes knowingly violate security policies, and it can often reduce cost through automation.
b) Why are standard configurations attractive?
Standard configurations are attractive because they reduce PC troubleshooting and general maintenance while affording best control over system security configuration.
c) What does NAC do when a computer attempts to connect to the network?
NAC queries the PC for information present in the Windows Security Center to determine if all updates are current, AV is loaded, and other items.
d) If a PC fails its initial health assessment, what are a NAC system’s two options?
NAC’s two options are to forbid access or provide access to a remediation server in order to fix the security issues.
e) Does NAC control usually stop after access is granted?
After access is granted, the NAC system performs ongoing traffic monitoring. If the traffic after admission indicates malware on the client, the NAC system will drop the connection or remediate the client.
f) What things can Windows GPOs restrict?
Windows GPOs can prevent changes to standard PC configurations and enforce other important policies.
g) Why are Windows GPOs powerful tools for managing security on individual Windows PCs?
GPOs are powerful tools because they can maintain a high-security standard on client PCs.
1. a) What is our definition of a host?
Any device with an IP address is a host.
b) Why is host hardening necessary?
This is necessary to protect the host against attacks.
c) What major categories of hosts did this section mention?
Servers, clients, routers, firewalls, and even many mobile phones.
d) What specific things can an attacker do if he or she takes over a firewall? The answer was not explained in the text.
If an attacker takes over a firewall, he or she can do all the things the firewall is supposed to stop, such as allow connection-opening requests initiated externally, re-route internal data to alternate paths in order to intercept and use, basically open the internal network wide up to attacks while providing the false sense that the firewall is doing its job.
e) What specific things can an attacker do if he or she takes over a router? The answer was not explained in the text.
If an attacker takes over a router, not only can he or she effectively map the entire internal network, but they can re-route traffic or reconfigure the router to cause a local DoS.
f) List the elements of host hardening.
Backup the host regularly. Without this, nothing else matters.
Restrict physical access to the host
Install the operating system with secure configuration options. In particular, be sure that all default passwords are replaced by strong passwords. Adversaries know every default password. If you fail to change even one, they can use it to get into your system immediately.
Minimize the applications and operating system services that run on the host to reduce the ability of hackers to take over the host by compromising an application or service. Minimizing the number of running programs reduces the “attack surface” of hosts.
Harden all remaining applications on the host.
Download and install patches for known operating system vulnerabilities.
Manage users, including account profiles, passwords, and other matters.
Manage access permissions for users and groups securely.
Encrypt data if appropriate.
Add a host firewall
Read operating system logs regularly to look for suspicious activities
g) Why is it important to replace default passwords during configuration?
Because anyone who knows anything about the subject will know the default password. The default password is usually the first thing an attacker will check.
h) What is a security baseline, and why is it important?
Security baselines are sets of specific actions to be taken to harden all hosts of a particular type and of particular versions within each type. This is important because it is another rule to follow to harden hosts and prevent attacks.
i) Why is the downloading of disk images of the operating system desirable compared to configuring each host individually?
This method will save labor time and cost on each subsequent installation. It also ensures that each server is properly configured according to the firm’s security baselines and general policies.
j) What does a systems administrator manage?
Systems administrators manage individual hosts or groups of hosts.
k) Does a systems administrator generally manage the network?
Systems adminstrators generally do not administer the network.
2. a) What is cloud computing?
Cloud computing utilizes processing power, applications, data storage, and other services over the Internet.
b) How do cloud computing and mainframe architectures differ?
Mainframe architectures consist of several thin clients connected to a single powerful computer called a mainframe. Thin clients are essentially a screen, keyboard, and a connection to the mainframe. Commands are sent to the mainframe where all application processing occurs, and data is stored. Computing is done locally, not over the Internet.
c) How do cloud computing and client–server architectures differ?
Client–server architectures use stand-alone clients that do not have to be connected to a mainframe. Clients can run applications and store data locally. They can also communicate with servers over a network and access data, applications, and additional processing power, so processing is shared between clients and servers. Servers are much less expensive than mainframes and can support users at many locations as long as they have a network (or Internet) connection. Cloud computing goes one step further by moving the servers themselves to a provider that is reached over the Internet.
d) What are the advantages of cloud computing?
The advantages of cloud computing include reduced costs, increased reliability, quicker disaster recovery, reduced data loss, better scalability, greater agility, and better accessibility.
e) Which security concerns are specific to cloud computing? Why?
Security concerns specific to cloud computing center on the cloud service provider. Can users, or corporations, trust their cloud provider to securely store their data? Can cloud providers be trusted with critical systems? Will there be any conflicts of interest with other clients and the cloud provider? Will the cloud provider act in the company’s best interests?
f) How could attackers use cloud computing?
Attackers could use cloud computing to launch attacks, store illegal digital media, crack stolen passwords, or even host phishing scams.
Important Server Operating Systems
Windows Server Operating Systems
3. a) What is the name of Microsoft’s server operating system?
Windows Server
b) What security protections do recent versions of this operating system offer?
They intelligently minimize the number of running applications and utilities by asking the installer questions about how the server will be used. They also make the installation of vulnerability patches very simple and usually automatic. They include server software firewalls, the ability to encrypt data, and many other security enhancements.
c) Why is Microsoft Windows Server easy to learn?
Windows Server is easy to learn because the interface looks like the interfaces in client versions of Windows.
d) What are MMCs? (Do not just spell out the acronym.)
Microsoft Management Consoles (MMCs) are Windows Server's administrative tools; each one hosts one or more administrative applications behind a consistent graphical user interface.
e) On what object does an icon bar icon operate?
When a user selects an object in one of the two lower panes, the icons specify actions that the administrator can take on the selected object. One of the most important choices is Action, which is specific to the selected object.
f) What is in the tree pane?
It is a tree of administrative applications (snap-ins). The tree pane is located in the lower-left pane of the GUI.
g) To what things do items in the subobject pane refer?
Items in the subobject pane are the objects (for example, user accounts or services) on which actions can be taken.
h) What is a snap-in?
A snap-in is an individual application on the tree pane of an MMC that can be added or dropped from the tree list easily.
i) Why are they called snap-ins?
They are called snap-ins because they can be added or dropped from the tree list easily.
j) Why is the standardized layout of MMCs beneficial?
Standardized layouts that provide a consistent user interface make learning how to use MMCs and snap-ins relatively easy.
k) How does the systems administrator get to most administrative tool MMCs?
By following the sequence "Start," then "Programs" (or "All Programs"), and finally "Administrative Tools."
l) What does selecting Action do?
It shows the actions that the administrator can take on the selected object.
UNIX (Including LINUX) Servers
4. a) Why is UNIX systems security difficult to describe generally?
UNIX is a family of operating systems that are similar at the kernel level (they share the same basic design and programming interfaces) but differ in other aspects of implementation, including how system security is configured. Thus, there is no single standard UNIX security setting; each UNIX operating system (and each version of it) needs its own baseline.
b) Distinguish between UNIX and LINUX.
UNIX is a family of operating systems that share compatibility at the kernel level. LINUX is one specific UNIX-like kernel; it is widely used on PCs and servers, in part because it is free.
c) What is the LINUX kernel?
The LINUX kernel is the core part of the operating system, upon which LINUX vendors provide additional software for sale or free downloads.
d) What is a LINUX distribution?
A LINUX distribution consists of the LINUX kernel packaged with additional programs for added functionality. Many of these additional programs come from the GNU project and are free, but vendors package, support, and sometimes sell them as a distribution.
e) Comment on the cost of LINUX.
The purchase price of a LINUX distribution is free or almost free. However, Total Cost of Ownership (TCO) for LINUX can be considerable, especially if there are multiple varieties of LINUX in use on a network that require product-specific knowledge to operate and secure.
f) Does a particular version of UNIX have a single user interface?
No. Even within a specific version of UNIX, the operating system software may come with several alternative user interfaces. Some of these interfaces will be graphical user interfaces (GUIs) similar to the interface of Microsoft Windows. On LINUX, there are two popular GUIs: GNOME and KDE.
g) What are UNIX CLIs called?
UNIX’s command line interfaces are called shells.
h) How are CLIs beneficial?
CLI shells use fewer resources than GUIs, so they place lower processing burdens on the computer than GUIs.
i) Why are CLIs difficult to use?
They are difficult to use because UNIX shells are unforgiving about syntax: commands, options, and arguments must be typed exactly (including spacing and case), and the shell gives no visual cues about what is available, so the user has to know the commands in advance.
Vulnerabilities and Patches
Vulnerabilities and Exploits
5. a) What is a vulnerability?
Vulnerabilities are security weaknesses that open a program to attack.
b) What is an exploit?
An exploit is a program that takes advantage of a vulnerability to allow the attacker to take over the computer or at least an individual account.
c) What is a zero-day attack?
Attacks that come before fixes are released are called zero-day attacks (the vendor has had zero days to provide a fix).
d) Why is the quick application of critical fixes important?
Because attackers often reverse-engineer a fix to learn what vulnerability it corrects and then exploit that vulnerability soon after the fix is released, before most firms have applied it.
Fixes
6. a) List the four types of fixes for vulnerabilities.
The four types of fixes for vulnerabilities are work-arounds, patches, service packs, and version upgrades.
b) Distinguish between work-arounds and patches.
Work-arounds are labor-intensive series of manual steps (usually configuration changes) that systems administrators must take to address a vulnerability without changing the vulnerable code. Patches are small programs that fix a particular vulnerability in the software itself, rather than adjusting the system configuration as work-arounds do.
c) What is a service pack in Microsoft Windows?
A service pack bundles many vulnerability fixes, and sometimes functionality improvements, into a single large update.
d) Why is upgrading to a new version of an operating system usually good for security?
Security problems are corrected in newer versions, and in general each newer version of an operating system has improved security. In addition, if a version is too old, the vendor will stop creating fixes for it.
The Mechanics of Patch Installation
7. a) In Windows Server 2003 and 2008, how automatic can patching be?
Windows Server 2003 has updating on the main start menu.
Windows Server 2008 can do updating automatically.
b) What patch downloading method is commonly used in LINUX?
Many LINUX vendors use the rpm package format and tools created by Red Hat (RPM Package Manager) to distribute and install patches; Debian-based distributions use the dpkg/apt packaging system instead.
Problems with Patching
8. a) Why do firms have a difficult time applying patches?
Firms have a difficult time because firms use many application programs and vendors release many patches per product. In contrast, they only use a few operating system versions.
b) Why do many firms prioritize patches?
Firms prioritize patches by criticality, applying the most critical first. Some patches may not be applied at all if a risk analysis shows that the cost of patching (or the risk of breaking something) outweighs the risk the patch addresses.
c) How do patch management servers help?
Patch management servers help by learning what software a firm is using on its network, actively assessing which programs on specific hosts need to be patched, and then pushing the patches to those hosts. Patch management servers can greatly reduce patching costs.
d) What two risks does patching raise?
The two risks of patching are (1) loss of functionality due to implementing a patch, and (2) some patches can negatively impact host system performance.
Managing Users and Groups
The Importance of Groups in Security Management
9. Give two reasons why assigning security measures to groups is better than assigning security measures to individuals within groups.
Applying security measures to groups takes less time than assigning them individually (and thus is cheaper).
Applying security measures in groups reduces errors in assigning security settings because group permissions are fairly obvious compared to individual permissions.
Creating and Managing Users and Groups in Windows
10. a) What Windows snap-in is used to manage users and groups?
It is the Local Users and Groups snap-in.
b) On which MMC is this snap-in available?
This snap-in is available in the Computer Management MMC.
c) In this snap-in, if the administrator clicks on an account, what may he or she do?
The administrator will be able to rename the account, delete it, change its security properties, or take other actions.
d) How does the administrator create a new account?
Administrators create new accounts using the Action command, entering a name, password, and other information about the account.
e) How does an administrator add an account to a group?
The administrator can select the group section instead of the user section, and from here the administrator will be able to add an account to the group.
f) How does the administrator create a new group?
In the Groups section of the Local Users and Groups snap-in, using the Action command to create the new group and then adding accounts to it.
11. a) What privileges does the super user account have?
The super user has full access to anything on the computer. The owner of the super user account can see or do anything on the computer.
b) What is the super user account in Windows?
The super user account in Windows is called “Administrator.”
c) What is the super user account in UNIX?
It is called “root.”
d) What is hacking root, and why is it desirable to hackers?
Hacking root is taking over that super user account. This is desirable because the attacker can do whatever he wants with this type of account.
e) When should a Windows systems administrator use the Administrator account?
Administrator accounts should be used sparingly (as little as possible), and only for circumstances that merit full privileges to accomplish a task.
f) How does the administrator get to the super user account in Windows? In UNIX?
In Windows, use the RunAs command (or the equivalent "Run as administrator" option) to run a program with Administrator privileges without logging in as Administrator for the whole session. In UNIX, the administrator switches to the super user account from a CLI with the su command (many systems instead use sudo to run a single command as root).
Managing Permissions
Permissions
Assigning Permissions in Windows
12. a) How are permissions applied to a directory in Windows?
Permissions are applied to a directory in Windows by right-clicking on the file or directory in My Computer or Windows Explorer. Then select Properties, then the Security tab. Then select a user or group and click each of the six standard permissions on or off (allow or deny).
b) List each standard Windows privilege.
They are full control, modify, read and execute, list folder contents, read, and write.
c) To how many accounts and groups can different permissions be applied in Windows?
There is no limit to the number of accounts and groups that can have different permissions applied.
d) How can inheritance reduce labor costs in assigning permissions?
With inheritance, a new subdirectory or file automatically receives the permissions of its parent directory, so the administrator does not have to assign permissions to each subdirectory and file individually; permissions set once at the top of a tree apply to everything below it.
e) How can inheritance be modified?
Inheritance can be modified on the child object's Security tab: the administrator can add explicit allow or deny entries that override what was inherited, or can turn off inheritance from the parent entirely for that object.
f) How are a user’s effective permissions calculated for a directory?
A user's effective permissions on a directory are those inherited from the parent directory plus any permissions explicitly allowed on the directory itself, minus any that are denied. Deny entries override allow entries, and explicit entries set on the directory override inherited ones.
g) How would you set up a top-level directory for a firm’s public policy documents, which should be readable by all logged-in users?
At the top-level directory for public documents, assign the group that contains all logged-in users (Authenticated Users in Windows) Read permission, and let the subdirectories and files inherit it. Do not assign Write or Modify to that group; only the group that maintains the documents should have those.
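The effective-permission rules in 12 d) through g) can be worked through in code. The following is an added example, not material from the page: a simplified model of a folder tree with allow/deny entries and inheritance, evaluated in the order Windows uses (explicit deny, explicit allow, inherited deny, inherited allow). The six standard permissions are expanded to a small set of atomic rights; the folder names, group names, and the "Authenticated Users" group standing in for all logged-in users are constructed for the illustration.

```python
"""Effective-permission calculation for a folder tree, modelled on Windows/NTFS rules.
Added example (not from the page): simplified model using the six standard permissions.
"""
from dataclasses import dataclass, field

# Atomic rights used by this simplified model (the real NTFS special-permission set is larger).
ATOMIC = {"read", "write", "execute", "list", "delete", "change_permissions"}
# The six standard permissions, expanded to the atomic rights each one implies.
STANDARD = {
    "read": {"read"},
    "write": {"write"},
    "list folder contents": {"list"},
    "read and execute": {"read", "execute", "list"},
    "modify": {"read", "execute", "list", "write", "delete"},
    "full control": set(ATOMIC),
}


@dataclass
class Ace:
    """One access control entry as set on the Security tab: allow or deny a standard permission."""
    principal: str   # account or group name
    kind: str        # "allow" or "deny"
    permission: str  # a STANDARD key


@dataclass
class Folder:
    name: str
    aces: list = field(default_factory=list)
    block_inheritance: bool = False  # "disable inheritance" on this folder
    children: dict = field(default_factory=dict)

    def add(self, child):
        self.children[child.name] = child
        return child


def _rights(aces, kind, principals):
    granted = set()
    for ace in aces:
        if ace.kind == kind and ace.principal in principals:
            granted |= STANDARD[ace.permission]
    return granted


def effective_rights(root, path, principals):
    """Atomic rights of a user whose account and groups are `principals`, on `path` under `root`.

    Precedence, as Windows evaluates it:
    explicit deny > explicit allow > inherited deny > inherited allow.
    """
    parts = path.strip("/").split("/")
    if parts[0] != root.name:
        raise ValueError("path must start at the root folder")
    chain = [root]
    for part in parts[1:]:
        chain.append(chain[-1].children[part])
    inherited = []
    for folder in chain[:-1]:
        if folder.block_inheritance:
            inherited = []            # nothing above this point flows down
        inherited = inherited + folder.aces
    target = chain[-1]
    if target.block_inheritance:
        inherited = []
    ex_allow = _rights(target.aces, "allow", principals)
    ex_deny = _rights(target.aces, "deny", principals)
    in_allow = _rights(inherited, "allow", principals)
    in_deny = _rights(inherited, "deny", principals)
    granted = set()
    for right in ATOMIC:
        if right in ex_deny:
            continue
        if right in ex_allow or (right not in in_deny and right in in_allow):
            granted.add(right)
    return granted


def effective_standard(root, path, principals):
    """The standard permissions that would show as checked under Effective Permissions."""
    rights = effective_rights(root, path, principals)
    return sorted(name for name, atoms in STANDARD.items() if atoms <= rights)


# Constructed sample tree ("Authenticated Users" stands in for all logged-in users).
PUBLIC = Folder("Public", [Ace("Authenticated Users", "allow", "read and execute")])
DRAFTS = PUBLIC.add(Folder("Drafts", [Ace("Editors", "allow", "modify")]))
DRAFTS.add(Folder("Restricted", [Ace("Contractors", "deny", "write")]))
ARCHIVE = PUBLIC.add(Folder("Archive", [Ace("Contractors", "deny", "full control")]))
ARCHIVE.add(Folder("Exception", [Ace("Contractors", "allow", "read")]))
PUBLIC.add(Folder("Private", [Ace("Editors", "allow", "read")], block_inheritance=True))

ALICE = {"alice", "Authenticated Users", "Editors"}
BOB = {"bob", "Authenticated Users", "Editors", "Contractors"}

if __name__ == "__main__":
    for who, groups in (("alice", ALICE), ("bob", BOB)):
        for p in ("Public", "Public/Drafts", "Public/Drafts/Restricted", "Public/Archive",
                  "Public/Archive/Exception", "Public/Private"):
            print(f"{who:6} {p:26} {effective_standard(PUBLIC, p, groups)}")
```

Running it shows the points the answers above make: bob loses Write under Restricted because the explicit deny beats the Modify he inherits as an Editor, regains Read under Archive/Exception because an explicit allow beats an inherited deny, and a folder with inheritance disabled starts from nothing but its own entries.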
Assigning Groups and Permissions in UNIX
13. a) What are the three UNIX permissions?
The three UNIX permissions are read, write, and execute.
b) Briefly characterize each.
Read gives the permission to read only.
Write gives permission to make changes.
Execute permits the execution of programs.
c) Compare the number of UNIX directory and file permissions with that of Windows.
UNIX allows only three directory permissions, whereas Windows allows six primary directory permissions and 13 specialized permissions.
d) To which three individual accounts or groups can permissions be assigned for a particular directory in UNIX?
They are the account owner, a single group, and all other accounts.
e) How does the number of accounts or groups to which permissions can be assigned in UNIX compare with that of Windows?
UNIX allows permissions to be assigned to three groups/accounts. Windows can give permissions to an unlimited number of individual accounts and groups.
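The three-class UNIX model in 13 a) through e) has one rule worth seeing in code: the kernel selects exactly one class for a process (owner if the UID matches, otherwise group if any of the process's GIDs match, otherwise other) and applies only that class's bits, so an owner with weaker bits than the group does not get the group's access. The following is an added example, not from the page; the UIDs, GIDs and file modes are constructed for the illustration.

```python
"""UNIX mode-bit access decision. Added example (not from the page).

Shows the rule that trips people up: the kernel picks exactly one class
(owner, else group, else other) and applies only that class's bits.
"""
R, W, X = 4, 2, 1


def parse_mode(text):
    """Accept an octal mode ('640') or an ls -l permission string ('rw-r-----').

    Returns (owner_bits, group_bits, other_bits). setuid/setgid/sticky are folded
    into the execute bit here and not modelled further.
    """
    if text.isdigit():
        value = int(text, 8)
        return (value >> 6) & 7, (value >> 3) & 7, value & 7
    if len(text) != 9 or any(c not in "rwxsStT-" for c in text):
        raise ValueError("expected an octal mode or a 9-character rwx string")

    def triple(s):
        return ((R if s[0] == "r" else 0) | (W if s[1] == "w" else 0)
                | (X if s[2] in "xst" else 0))

    return triple(text[0:3]), triple(text[3:6]), triple(text[6:9])


def can_access(mode, owner_uid, group_gid, uid, gids, want):
    """True if a process with `uid` and group set `gids` gets every bit in `want`."""
    owner_bits, group_bits, other_bits = parse_mode(mode)
    if uid == 0:
        # root bypasses read/write checks; execute still needs at least one x bit on a file.
        return not (want & X) or bool((owner_bits | group_bits | other_bits) & X)
    if uid == owner_uid:
        bits = owner_bits          # owner class wins even if its bits are weaker than group's
    elif group_gid in gids:
        bits = group_bits
    else:
        bits = other_bits
    return (bits & want) == want


def describe(mode, owner_uid, group_gid, uid, gids):
    """'rwx'-style summary of what one process effectively gets, e.g. 'r--'."""
    return "".join(ch if can_access(mode, owner_uid, group_gid, uid, gids, bit) else "-"
                   for bit, ch in ((R, "r"), (W, "w"), (X, "x")))


if __name__ == "__main__":
    # Constructed scenario: a report owned by alice (uid 1001), group analysts (gid 50).
    ALICE, BOB, CAROL = 1001, 1002, 1003
    print("bob   on 640 file      :", describe("640", ALICE, 50, BOB, {50}))          # r--
    print("carol on 640 file      :", describe("640", ALICE, 50, CAROL, {60}))        # ---
    # The owner with no bits loses even though she is in the group that has rw-:
    print("alice on ---rw---- file:", describe("---rw----", ALICE, 50, ALICE, {50}))  # ---
    print("bob   on ---rw---- file:", describe("---rw----", ALICE, 50, BOB, {50}))    # rw-
```

For directories the same bits apply with a different meaning: r lets a user list the names, x lets the user traverse into the directory and open entries whose names are known, and w lets the user create or delete entries regardless of who owns them.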
14. a) What is brute-force password guessing?
Brute-force password guessing is an approach that tries all possible passwords on all (or selected) accounts. This approach tries all possible single-character passwords, then all possible two-character passwords, and so forth.
b) Why is it important to not simply use all lower-case letters in passwords?
It is important not to use only lower-case letters because that limits the alphabet to 26 characters, so there are only 26^N possible passwords of length N. Using every character on the keyboard enlarges the alphabet (the text counts about 75 characters; the full printable ASCII set is 95), giving 75^N or 95^N possibilities, which is enormously more for the same length.
c) What are complex passwords?
Complex passwords are passwords that use several types of keyboard characters—upper- and lower-case letters, digits, and special characters.
d) Why is password length important?
Longer passwords take exponentially more time to crack by brute force: each added character multiplies the number of possible passwords by the size of the character set.
e) What is a dictionary attack?
A dictionary attack tries passwords from lists of common words and previously leaked passwords, hashing each one and comparing it with the target, instead of trying every possible combination.
f) Why are dictionary attacks faster than brute-force guessing?
They only have to try a few thousand (or a few million) likely passwords instead of the billions or more needed to exhaust the full keyspace, and those likely passwords are exactly the ones many users choose.
g) What are hybrid dictionary attacks?
Hybrid dictionary attacks try simple modifications of common words (such as Password!).
h) How are mangling rules applied to a list of dictionary words?
Mangling rules are applied to each word in sequence. Each mangling rule modifies the dictionary word to produce another likely password. The rules are derived from common password patterns, such as capitalizing the first letter, appending a digit or a year, adding an exclamation mark, or substituting look-alike digits for letters.
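The brute-force keyspace arithmetic in 14 b) and d) and the hybrid dictionary attack with mangling rules in 14 e) through h) can be demonstrated together. The following is an added example, not from the page: a small set of mangling rules applied to a constructed five-word dictionary, attacking salted SHA-256 hashes, alongside the keyspace a brute-force attack would face. The wordlist, salt, rule set and SHA-256 choice are assumptions made for the illustration; real attacks use far larger lists and rule sets, and real password stores should use a slow KDF.

```python
"""Hybrid dictionary attack with mangling rules, compared with the brute-force keyspace.
Added example (not from the page). The wordlist, salt and mangling rules are constructed
for illustration; real attacks use far larger lists and rule sets.
"""
import hashlib

LEET = str.maketrans("aeios", "43105")   # a->4 e->3 i->1 o->0 s->5


def keyspace(charset_size, length):
    """Number of passwords of exactly `length` characters over `charset_size` symbols."""
    return charset_size ** length


def total_keyspace(charset_size, max_length):
    """Everything a brute-force attack must try for lengths 1..max_length."""
    return sum(charset_size ** n for n in range(1, max_length + 1))


def mangle(word):
    """Yield candidates derived from one dictionary word, cheapest rules first.

    Each rule mirrors a habit users fall into when forced to make a password "complex":
    capitalize, upper-case, append '!' or digits, swap letters for look-alike digits, add a year.
    """
    seen = set()
    for base in (word, word.capitalize(), word.upper()):
        leet = base.translate(LEET)
        variants = [base, base + "!", base + "1", base + "123", leet, leet + "!"]
        variants += [base + str(year) for year in range(2015, 2026)]
        for candidate in variants:
            if candidate not in seen:       # rules can collide (e.g. leet of an upper-case word)
                seen.add(candidate)
                yield candidate


def sha256_hex(salt, password):
    """Fast hash used only to keep the demo self-contained. Production password stores
    should use a slow, salted KDF (bcrypt, scrypt or Argon2) so every guess costs more."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def hybrid_attack(target_hash, salt, wordlist):
    """Return (password, guesses_made); password is None if the list is exhausted."""
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            if sha256_hex(salt, candidate) == target_hash:
                return candidate, guesses
    return None, guesses


WORDLIST = ["password", "welcome", "summer", "dragon", "letmein"]   # constructed mini-dictionary

if __name__ == "__main__":
    for secret in ("Password!", "Dragon2023", "x7#Qp9!zR"):
        found, n = hybrid_attack(sha256_hex("s1", secret), "s1", WORDLIST)
        print(f"{secret!r:14} -> {found!r} after {n} guesses")
    # Brute force over comparable lengths, for comparison (guess counts, not seconds):
    print("lowercase only, length 8 :", keyspace(26, 8))
    print("printable ASCII, length 8:", keyspace(95, 8))
    print("printable ASCII, 1 to 8  :", total_keyspace(95, 8))
```

"Password!" falls on the 19th guess and "Dragon2023" within a few hundred, while the random nine-character string survives the whole list; the same random string would sit somewhere in a keyspace of roughly 6.3 x 10^17 for a brute-force attacker. The keyspace function also quantifies the shoulder-surfing point made later in 17 e): learning that a password is exactly eight lower-case letters shrinks the search from total_keyspace(95, 8) to keyspace(26, 8).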
15. a) What are rainbow tables?
A rainbow table is a list of pre-computed password hashes that are indexed in an attempt to reduce the amount of time it takes to crack a password.
b) How would rainbow tables reduce the time needed to crack a password?
Indexed tables of password hashes are computed ahead of time from large dictionary files, or from all possible character combinations up to some length. This is a time–memory trade-off: memory (disk) is spent storing the pre-computed hashes so that cracking a password becomes a lookup rather than a computation. Rainbow tables only work against hashes computed without a per-user salt; salting forces the attacker to build a separate table for every salt value, which defeats the pre-computation.
c) Would it be possible to create rainbow tables for all possible passwords with 1–20 characters? Would it be practical?
It would be technically possible to create the table. However, the number of possible 20-character passwords over a full keyboard character set is so large (95^20, on the order of 10^39) that the table could never be computed or stored in practice.
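To make the time–memory trade-off in 15 a) through c) concrete, the following is an added example (not from the page) of a working rainbow table over a toy keyspace: all three-letter lower-case passwords hashed with unsalted MD5. Only the start and end of each hash chain are stored; a lookup re-walks chains instead of reading a full hash-to-password list, and the coverage function shows how many passwords a few hundred stored entries can recover. The keyspace, chain length, reduction function and the "s4lt" value are constructed for the illustration.

```python
"""Tiny rainbow table over a toy keyspace (3 lowercase letters, unsalted MD5).
Added example (not from the page). The keyspace, chain length and reduction function are
chosen for illustration so the whole table builds in well under a second.
"""
import hashlib

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
LENGTH = 3
N = len(ALPHABET) ** LENGTH        # 17,576 possible passwords
CHAIN_LEN = 20                     # hashes per stored chain (the "time" side of the trade-off)


def h(password):
    """Unsalted MD5: the kind of password storage rainbow tables are built against."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_hash(salt, password):
    """The same hash with a per-user salt; the table below is useless against it."""
    return hashlib.md5((salt + password).encode()).hexdigest()


def index_to_password(i):
    chars = []
    for _ in range(LENGTH):
        i, r = divmod(i, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def reduce_to_password(digest, column):
    """Reduction function: map a digest back into the keyspace. Mixing in the column
    number is what makes this a rainbow table rather than a plain hash-chain table."""
    return index_to_password((int(digest[:15], 16) + column) % N)


def build_table(num_chains):
    """Store only (end -> start) per chain; intermediate points are recomputed on lookup."""
    table = {}
    for s in range(num_chains):
        start = index_to_password((s * 7919) % N)   # 7919 is prime, spreading start points
        p = start
        for column in range(CHAIN_LEN):
            p = reduce_to_password(h(p), column)
        table.setdefault(p, start)                  # on a merge, keep the first chain
    return table


def lookup(table, target_digest):
    """Recover the password behind target_digest, or None if no stored chain covers it."""
    for i in range(CHAIN_LEN - 1, -1, -1):
        # Assume the target sits at column i and finish that chain to find its endpoint.
        p = reduce_to_password(target_digest, i)
        for column in range(i + 1, CHAIN_LEN):
            p = reduce_to_password(h(p), column)
        start = table.get(p)
        if start is None:
            continue
        # Endpoint matched: walk the chain from its start to find the actual preimage
        # (a false alarm from a merged chain just falls through to the next column).
        p = start
        for column in range(CHAIN_LEN):
            if h(p) == target_digest:
                return p
            p = reduce_to_password(h(p), column)
    return None


def coverage(table, stride=97):
    """Fraction of a regular sample of the keyspace that the table can recover."""
    sample = [index_to_password(i) for i in range(0, N, stride)]
    hits = sum(1 for pw in sample if lookup(table, h(pw)) == pw)
    return hits / len(sample)


if __name__ == "__main__":
    for chains in (100, 500, 2000):
        t = build_table(chains)
        print(f"{chains:5} chains stored -> {len(t):5} entries, "
              f"covers about {coverage(t):.0%} of {N} passwords")
```

The stored table is far smaller than the number of passwords it can recover, which is the memory saving; the price is that every lookup re-hashes up to CHAIN_LEN*(CHAIN_LEN+1)/2 candidates, which is the time cost. Feeding the same table a salted hash returns None, which is why the answer above stresses salting.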
16. a) Can you create a truly random password? Will it be used?
Yes, you can create very long truly random passwords. The downside of completely random passwords is that users find them hard to remember. Users tend not to use passwords that are hard to remember.
b) Should passwords be tested by systems administrators? Why?
Internal corporate passwords should be tested by systems administrators to ensure that each user is using a sufficiently strong password. Users with weak passwords should be directed to change their password to a stronger password.
17. a) What do Trojan horse password capture programs do?
They capture passwords when the user types them.
b) Can antivirus software detect keystroke capture software?
Yes, some antivirus software can detect certain keyloggers, but not all of them. The keylogger must match a signature in the antivirus program's signature database (or trigger its behavioral detection) to be identified.
c) How would you detect a physical keylogger?
In order to detect a physical keylogger, you have to physically inspect the computer, in particular the connection between the keyboard cable and the computer (or the USB port), where an inline capture device would be inserted.
d) What is shoulder surfing?
Watching someone while they type passwords in order to learn the password.
e) Does the shoulder surfer have to read the entire password to be successful? Explain.
Shoulder surfers do not have to read the entire password to be successful. Learning just some characteristics of the password, such as its first or last letters, its total length, or whether special characters are used, makes cracking it significantly easier because it narrows the range of candidates a brute-force attack has to try.
Testing for Vulnerabilities
18. a) Why is vulnerability testing desirable?
Vulnerability testing is desirable because it allows network administrators to identify problems before attackers can exploit them.
b) What two things does vulnerability testing software do?
Vulnerability testing software runs a battery of attacks against the hosts being tested and generates reports detailing the vulnerabilities found.
c) Why is it important to get approval in writing before conducting a vulnerability test?
It is important to get approval in writing before conducting a vulnerability test because testing occasionally causes system crashes and other damage and the tester wants to be covered against repercussions.
d) What two things should this written approval specifically mention?
Specifically, the written approval should include a detailed description of what will be done along with an explanation that the tester will not be held liable for system degradation from the testing.
e) Why is it important never to diverge from the test plan when running the tests?
One should never diverge from the test plan while running tests because once you diverge, all protections provided by the test plan are negated and you can be held liable for the consequences of your actions.
Windows Client PC Security
Client PC Security Baselines
19. What different baselines does a company need for its client PCs?
A company needs security baselines for Windows XP, Vista, and Windows 7. A firm also needs security baselines for its Macintosh and UNIX desktop computers. In addition, for each client operating system, a firm may have multiple baselines, such as for desktop versus laptop computers, for in-site versus external computers, and for regular clients versus computers with especially high security needs.
The Windows Security Center
20. a) How can you quickly assess the security posture of your Windows PC?
The Windows Security Center allows a user to quickly assess the security posture of a Windows PC.
b) What provides a quick summary of security components needed to harden a client PC?
The Windows Action Center (the successor to the Security Center beginning with Windows 7) provides a quick summary of all the security components needed to harden a client PC.
c) Why are multiple types of protection necessary?
Multiple types of protection work together to provide defense in depth and protection from a variety of threats.
Windows Firewall
21. a) What SPI firewall has come with client version of Windows since Windows XP SP2?
It is called “Windows Firewall.” This SPI firewall has been included in all subsequent client versions of Windows.
b) What improvements come with Windows Firewall with Advanced Security?
Windows Firewall with Advanced Security comes with additional functionality such as custom ingress/egress rules, separate network profiles, more detailed rules, and the ability to be managed via group policy.
Automatic Updates
22. Why should updating be done completely automatically on client PCs?
Due to the shortening time between patch release and widespread use of exploits for unpatched vulnerabilities, client PCs should be configured for automatic updates.
Antivirus and Spyware Protection
23. What can go wrong with antivirus protection?
Common problems with antivirus protection include users turning off the AV program, automatic updating of virus signatures being turned off (deliberately or inadvertently), and the antivirus subscription expiring so that no new signature updates arrive.
Implementing Security Policy
24. a) Why is it important to implement security policy?
It is important to implement security policies because they protect computing resources. They also help minimize corporate liability and support legal compliance.
b) What are the advantages of implementing password policies?
Implementing these password policies increases the effectiveness of passwords as an access control mechanism.
c) What are the advantages of implementing account policies?
Properly implemented account policies can stop certain attacks. For example, an account policy could prevent attackers from endlessly trying to guess a user’s password if the account were locked after a given number of attempts.
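The account-lockout policy described in 24 c), and the advice at the start of this section to read operating system logs regularly for suspicious activity, can both be shown with one replay over a log. The following is an added example, not from the page: it parses constructed authentication lines in OpenSSH sshd format (ISO timestamps, a hostname, then the message), applies a lockout policy of five failures within ten minutes, refuses even a correct password while an account is locked, and separately flags a source that fails against many different accounts, the "password spraying" pattern that a per-account lockout threshold alone does not catch. The log content, host name, IP addresses and policy values are all assumptions made for the illustration.

```python
"""Review authentication log lines for suspicious activity and apply an account-lockout policy.
Added example (not from the page). The log lines are constructed in OpenSSH sshd format with
ISO timestamps; the threshold, window and lockout duration are assumed policy values.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

# Constructed sample: a brute-force run against 'admin', then a spray across several accounts.
SAMPLE_LOG = """\
2024-05-01T09:00:01 web1 sshd[1200]: Failed password for admin from 203.0.113.5 port 4422 ssh2
2024-05-01T09:00:03 web1 sshd[1200]: Failed password for admin from 203.0.113.5 port 4423 ssh2
2024-05-01T09:00:06 web1 sshd[1200]: Failed password for admin from 203.0.113.5 port 4424 ssh2
2024-05-01T09:00:08 web1 sshd[1200]: Failed password for admin from 203.0.113.5 port 4425 ssh2
2024-05-01T09:00:11 web1 sshd[1200]: Failed password for admin from 203.0.113.5 port 4426 ssh2
2024-05-01T09:00:14 web1 sshd[1200]: Failed password for admin from 203.0.113.5 port 4427 ssh2
2024-05-01T09:03:00 web1 sshd[1201]: Accepted password for admin from 203.0.113.5 port 4430 ssh2
2024-05-01T09:10:00 web1 sshd[1202]: Accepted password for alice from 10.0.0.12 port 51000 ssh2
2024-05-01T09:20:00 web1 sshd[1203]: Failed password for invalid user backup from 198.51.100.7 port 6000 ssh2
2024-05-01T09:20:05 web1 sshd[1203]: Failed password for bob from 198.51.100.7 port 6001 ssh2
2024-05-01T09:20:09 web1 sshd[1203]: Failed password for carol from 198.51.100.7 port 6002 ssh2
2024-05-01T09:20:14 web1 sshd[1203]: Failed password for dave from 198.51.100.7 port 6003 ssh2
""".splitlines()


def parse(lines):
    """Yield (timestamp, result, user, source_ip) for each line that is a password attempt."""
    for line in lines:
        m = LINE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]


def review(lines, threshold=5, window_s=600, lockout_s=900, spray_min_users=3):
    """Replay the log under a lockout policy and report what the policy would have done.

    Returns (events, spraying): events are (timestamp, kind, user, ip) tuples where kind is
    'lockout' or 'rejected_locked'; spraying maps source IPs to the distinct accounts they
    failed against when that count reaches spray_min_users.
    """
    recent = defaultdict(deque)     # user -> timestamps of failures inside the window
    locked_until = {}
    events = []
    users_per_ip = defaultdict(set)
    for ts, result, user, ip in parse(lines):
        if ts < locked_until.get(user, ts):
            events.append((ts, "rejected_locked", user, ip))   # even a correct password is refused
            continue
        if result == "Accepted":
            recent[user].clear()
            continue
        users_per_ip[ip].add(user)
        q = recent[user]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=window_s):
            q.popleft()                                        # drop failures outside the window
        if len(q) >= threshold:
            locked_until[user] = ts + timedelta(seconds=lockout_s)
            events.append((ts, "lockout", user, ip))
            q.clear()
    spraying = {ip: sorted(users) for ip, users in users_per_ip.items()
                if len(users) >= spray_min_users}
    return events, spraying


if __name__ == "__main__":
    found_events, sprayers = review(SAMPLE_LOG)
    for ts, kind, user, ip in found_events:
        print(f"{ts.isoformat()}  {kind:16} {user:8} from {ip}")
    for ip, users in sprayers.items():
        print(f"spraying from {ip}: {', '.join(users)}")
```

The replay locks admin on the fifth failure and shows the later "Accepted" line as something the policy would have refused. Note the trade-off a practitioner has to accept: a lockout policy lets an attacker who merely knows account names lock legitimate users out on purpose, which is why the threshold is usually combined with a limited lockout duration rather than a permanent lock.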
d) What are the advantages of implementing audit policies?
Audit policies provide systems administrators with detailed information about who caused events to occur, what they may have changed, and when the event occurred.
Protecting Notebook Computers
25. a) What are the three dangers created by notebook computer loss or theft?
The three dangers of notebook computer loss are (1) loss of capital investment, (2) loss of all data that was not backed up, and (3) loss of sensitive data.
b) When should backup be done for mobile computers?
Mobile computers should be backed up before being taken off-site and then regularly while off-site.
c) What four policies are necessary to protect sensitive information?
Limit what sensitive data can be stored on mobile PCs.
Encryption is required on all mobile PCs regardless of data content.
All mobile PCs should be protected with strong passwords, biometrics, or both.
Audit the first three policies.
d) To what should these policies be applied?
The above policies should be applied to all mobile data on notebook hard drives, USB flash drives, MP3 players, and mobile phones that store company data.
e) What training should be provided?
The type of training that should be provided is to teach users loss and theft protection techniques.
f) What does computer recovery software do?
This software contacts the recovery company the next time the stolen computer connects to the Internet and reports information about its location (such as its network address), so the recovery company can work with local police to recover the computer.
Centralized PC Security Management
26. a) Why is central PC security management desirable?
Central PC security management is desirable because ordinary users lack the knowledge to manage security on their PCs, they sometimes knowingly violate security policies, and it can often reduce cost through automation.
b) Why are standard configurations attractive?
Standard configurations are attractive because they reduce PC troubleshooting and general maintenance while affording best control over system security configuration.
c) What does NAC do when a computer attempts to connect to the network?
NAC queries the PC for information present in the Windows Security Center to determine if all updates are current, AV is loaded, and other items.
d) If a PC fails its initial health assessment, what are a NAC system’s two options?
NAC’s two options are to forbid access or provide access to a remediation server in order to fix the security issues.
e) Does NAC control usually stop after access is granted?
No. After access is granted, the NAC system keeps monitoring the client's traffic. If the traffic after admission indicates malware on the client, the NAC system drops the connection or sends the client back to remediation.
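The NAC sequence in 26 c) through e) amounts to a small decision procedure: assess the client's health, admit it, steer it to a remediation server, or refuse it, and then keep watching. The following is an added example, not from the page and not any vendor's product logic: the posture fields, the signature-age limit, the rule that only a client with a management agent is worth quarantining, and the fan-out heuristic used after admission are all assumptions chosen for the illustration.

```python
"""NAC admission decision and post-admission re-check. Added example (not from the page);
the posture fields, thresholds and traffic heuristic are assumptions for illustration.
"""
from datetime import date

POLICY = {
    "required": ("firewall_on", "av_running", "patches_current"),
    "max_signature_age_days": 3,
    "scan_threshold": 20,   # distinct hosts contacted on one port by a single source
}


def health_assessment(posture, policy=POLICY, today=date(2024, 5, 1)):
    """Return (decision, failed_checks).

    decision is 'admit', 'remediate' (a restricted network with the remediation server)
    or 'deny'. `posture` is what the client reports, e.g. from the Windows Action Center.
    """
    failed = [check for check in policy["required"] if not posture.get(check, False)]
    age = (today - posture["signatures_updated"]).days
    if age > policy["max_signature_age_days"]:
        failed.append(f"signatures_stale:{age}d")
    if not failed:
        return "admit", []
    # Only a client that can report and receive fixes is worth quarantining; an unmanaged
    # client that cannot be steered to the remediation server is simply refused.
    return ("remediate" if posture.get("agent_present") else "deny"), failed


def post_admission_check(flows, policy=POLICY):
    """flows: iterable of (src, dst, dst_port). Flags worm-like fan-out to many hosts
    on one port, the kind of traffic that suggests malware on an already-admitted client.
    Returns ('drop' or 'ok', {src: port}) so the NAC can drop or re-quarantine the source."""
    fanout = {}
    for src, dst, port in flows:
        fanout.setdefault((src, port), set()).add(dst)
    suspects = {src: port for (src, port), dsts in fanout.items()
                if len(dsts) >= policy["scan_threshold"]}
    return ("drop" if suspects else "ok"), suspects


# Constructed sample postures and traffic.
HEALTHY = {"firewall_on": True, "av_running": True, "patches_current": True,
           "signatures_updated": date(2024, 4, 30), "agent_present": True}
STALE = {"firewall_on": False, "av_running": True, "patches_current": True,
         "signatures_updated": date(2024, 4, 20), "agent_present": True}
UNMANAGED = {"firewall_on": False, "av_running": False, "patches_current": False,
             "signatures_updated": date(2024, 1, 1), "agent_present": False}
SCANNING_HOST = [("10.0.0.12", f"10.0.0.{n}", 445) for n in range(20, 45)]   # 25 targets on SMB
NORMAL_TRAFFIC = [("10.0.0.13", "10.0.0.5", 443), ("10.0.0.13", "10.0.0.6", 445),
                  ("10.0.0.13", "10.0.0.5", 443)]

if __name__ == "__main__":
    for name, posture in (("healthy", HEALTHY), ("stale", STALE), ("unmanaged", UNMANAGED)):
        print(f"{name:10} -> {health_assessment(posture)}")
    print("scanning host ->", post_admission_check(SCANNING_HOST))
    print("normal traffic ->", post_admission_check(NORMAL_TRAFFIC))
```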
f) What things can Windows GPOs restrict?
Windows Group Policy Objects (GPOs) can prevent users from changing the standard configuration of their PCs (for example, turning off the firewall or automatic updates) and can enforce other important policies, such as password, account lockout, and audit policies.
g) Why are Windows GPOs powerful tools for managing security on individual Windows PCs?
GPOs are powerful tools because they let an administrator define a high-security configuration once, centrally, and have it applied and re-applied automatically to every Windows PC under its scope, so a user cannot permanently override it on an individual machine.